If you use a fan speed control or hardware monitoring program, you may find that Microsoft Defender detects a threat and automatically quarantines it. The label Microsoft gives it is the hacking tool Winring0 (HackTool: Win32/Winring0).

Microsoft Defender often produces false positives, but this time it is not one: the WinRing0x64.sys driver that these programs load does have security vulnerabilities.

WinRing0 is a hardware access library for Windows NT. It is mainly used to let software access I/O ports, MSRs and the PCI bus. Many programs use the open source LibreHardwareMonitorLib, whose driver is WinRing0x64.sys.

The developer of the fan control project FanControl said:

Many of you reported that Microsoft Defender started flagging the LibreHardwareMonitorLib driver WinRing0x64.sys; you don't need to report it further, as I am aware of this situation as well.

There are known vulnerabilities in this kernel driver that can theoretically be exploited on an infected machine. The driver and the software itself are not malicious, and security is neither increased nor decreased by Microsoft's detection. Before taking any action in Microsoft Defender (such as restoring the file and adding it to the allow list), it is best to check the risks first.

The CVE-2020-14979 vulnerability was found in this driver as early as 2020. It can be used to read and write arbitrary memory locations and is a stack buffer overflow. An attacker can use it to obtain system-level privileges on Windows NT.

Some developers stated in the issue that the vulnerability has been known for a long time, but fixing it would not only require extensive rewriting of the kernel driver, the applications and their interfaces, it would also mean purchasing a new digital signature, which is relatively expensive for the developers of an open source project.

In addition, Microsoft has long been aware of this vulnerability and has tightened its rules accordingly. Microsoft had previously notified vendors that it would block this driver outright. The ban was first planned for 2024, then for January 2025, and it is only now that Microsoft has actually enforced it.

However, according to the latest reports, Microsoft seems to have realised that disabling the driver may affect the normal use of many users, so it has temporarily lifted the interception of WinRing0x64.sys. It will definitely block it again in the future.

The only thing developers of software that uses this driver can do is drop it. For example, the security patch Razer released on February 20 removed the driver; Razer users need to upgrade from Synapse3 to Synapse4, and the new version no longer contains it.
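Before restoring the file or adding it to the allow list, as the FanControl developer advises, it helps to know exactly which programs on the machine ship and load the driver, and after a vendor update such as Razer's it helps to confirm the driver is really gone. The following PowerShell script is an added example, not code from the article or from any of the projects it mentions: it lists driver services whose image path points at WinRing0, finds WinRing0 driver files under common install locations (the search roots are an assumption about where applications usually ship the driver), records each file's hash and signer, and pulls Defender's own detection records that mention it. Run it from an elevated session.

```powershell
# Added example: inventory WinRing0 driver copies, driver services and
# Defender detections on a Windows host. Run as Administrator.

function Get-WinRing0Inventory {
    # 1. Kernel driver services whose binary is a WinRing0 driver. The service
    #    name is chosen by the application, so match on the image path instead.
    $services = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -like '*WinRing0*' } |
        Select-Object Name, State, StartMode, PathName

    # 2. Driver files on disk. Applications normally ship the driver next to
    #    their own executable, so search program folders too (assumed roots).
    $searchRoots = @(
        $env:ProgramFiles,
        ${env:ProgramFiles(x86)},
        $env:ProgramData,
        $env:LOCALAPPDATA,
        "$env:SystemRoot\System32\drivers"
    ) | Where-Object { $_ -and (Test-Path -Path $_) }

    $files = foreach ($root in $searchRoots) {
        Get-ChildItem -Path $root -Filter 'WinRing0*.sys' -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path      = $_.FullName
                    SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    Signer    = $sig.SignerCertificate.Subject
                    SigStatus = $sig.Status
                }
            }
    }

    # 3. Defender's record of detections that reference the driver
    #    (the Defender module is only present where Defender is installed).
    $detections = @()
    if (Get-Command -Name Get-MpThreatDetection -ErrorAction SilentlyContinue) {
        $detections = Get-MpThreatDetection |
            Where-Object { $_.Resources -match 'WinRing0' } |
            Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources
    }

    [pscustomobject]@{
        DriverServices = @($services)
        DriverFiles    = @($files)
        Detections     = @($detections)
    }
}

$inventory = Get-WinRing0Inventory

'== Driver services referencing WinRing0 =='
$inventory.DriverServices | Format-Table -AutoSize
'== WinRing0 driver files on disk =='
$inventory.DriverFiles | Format-Table -AutoSize
'== Defender detections mentioning WinRing0 =='
$inventory.Detections | Format-Table -AutoSize
```

The file list tells you which installed applications still depend on the driver (the parent folder of each hit), the service list shows whether one of them currently has it loaded, and the hash and signer let you compare a copy against the one your vendor says it removed. An empty result in all three tables after an upgrade is the confirmation you want before closing the Defender alert.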

See the discussion: https://github.com/LibreHardwareMonitor/LibreHardwareMonitor/issues/1660